Researchers at cyber security vendor Darktrace have unearthed what they say is the first documented case of NBMiner cryptomining malware being deployed through a PowerShell-based attack chain that injects malicious code directly into legitimate Windows processes.

The attack was detected in July on a retail and ecommerce customer's network and was analysed by Darktrace's threat research team, led by Tara Gould, together with analyst Keanna Grelicha.
Darktrace said it represents a significant evolution in cryptojacking techniques, with threat actors using increasingly sophisticated methods to avoid detection whilst mining cryptocurrency on compromised systems.
Cryptojacking attacks have surged alongside the growing cryptocurrency market, which has a capitalisation of almost US$4 trillion, making illicit mining an attractive proposition for criminals seeking to monetise compromised computing resources.
The attack began when Darktrace's network monitoring detected an infected desktop device connecting to a suspicious endpoint at the IP address 45.141.87.195 over port 8000.
From that endpoint, the device downloaded a PowerShell script called infect.ps1 that served as the initial dropper for the malicious payload.
The researchers' analysis of the heavily obfuscated PowerShell script showed it contained multiple variables of Base64 and XOR encoded data.
A first-stage data blob was decoded with an XOR key of 97 to produce a legitimate AutoIt executable, which was stored in the system's application data directory.
The script's second stage involved writing an encrypted binary to the system, while a third component decoded to an obfuscated AutoIt script designed specifically for process injection, which the researchers said showed the attackers' sophisticated understanding of Windows internals.
Once decoded, the AutoIt loader employed an evasion technique by targeting the legitimate Windows Character Map application (charmap.exe) as its injection host, launching the benign process silently before obtaining full access privileges to its memory space.
Other evasion techniques included anti-sandboxing: the loader sleeps to delay its malicious activity, so that short-lived automated analysis in a sandbox environment is likely to finish before anything suspicious happens.
The malware payload also checks which antivirus products are installed and will only continue if Windows Defender is the sole protection.
The current user's privileges are also checked to see whether they include administrator rights; if not, the malware attempts to bypass User Account Control (UAC) prompts to elevate privileges.
Inside the legitimate process, the malware allocated executable and writable memory regions, decrypted the NBMiner payload using an XOR key of 47, and wrote the cryptominer directly into the allocated space before spawning a new execution thread.
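The following Python triage helper is an added illustration, not Darktrace's code or the analysed dropper, and covers both the infect.ps1 layering (Base64 over single-byte XOR) described above and the key-47 NBMiner stage. It runs against a constructed stand-in for the script (variable names and payloads are placeholders, and the "executables" are only DOS/PE header stubs), tries the reported keys 97 and 47 before the remaining single-byte keys, and reports a blob only when the decoded bytes carry a valid MZ header whose e_lfanew points at a PE signature.

```python
import base64
import re
import struct

KNOWN_KEYS = (97, 47)  # single-byte XOR keys reported for the two stages

def fake_pe(tag: bytes) -> bytes:
    """Constructed DOS/PE header stub (not a runnable executable)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3c -> 64
    return dos + b"PE\x00\x00" + tag

def encode_stage(plain: bytes, key: int) -> str:
    """Mimic the dropper's layering: XOR with a single-byte key, then Base64."""
    return base64.b64encode(bytes(b ^ key for b in plain)).decode()

# Constructed stand-in for infect.ps1; names and contents are placeholders.
SAMPLE_PS1 = "\n".join([
    "$stage1 = '" + encode_stage(fake_pe(b"autoit-stub"), 97) + "'",
    "$stage2 = '" + encode_stage(fake_pe(b"miner-stub"), 47) + "'",
    "$noise  = '" + encode_stage(b"harmless configuration text", 5) + "'",
])

def looks_like_pe(data: bytes) -> bool:
    """True only for an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[off:off + 4] == b"PE\x00\x00"

def triage(script: str) -> list:
    """Return (variable_name, xor_key) for each Base64 blob that decodes to a PE."""
    findings = []
    for m in re.finditer(r"\$(\w+)\s*=\s*'([A-Za-z0-9+/]{16,}={0,2})'", script):
        name, blob = m.group(1), m.group(2)
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        # Reported keys first, then the other single-byte keys (256 tries at most).
        for key in KNOWN_KEYS + tuple(k for k in range(256) if k not in KNOWN_KEYS):
            if looks_like_pe(bytes(b ^ key for b in raw)):
                findings.append((name, key))
                break
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_PS1))  # [('stage1', 97), ('stage2', 47)]
```

On a real sample the same loop hands the recovered stages to a PE parser or a hashing step instead of printing, and the single-byte brute force catches droppers that change the key between campaigns.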
This process injection technique effectively disguises the malicious mining activity as legitimate system behaviour, making detection significantly more challenging for traditional security tools that rely on process-based monitoring.
The injected NBMiner payload included multiple anti-analysis features, checking for Task Manager processes, attempting to terminate Windows file signature verification tools, and implementing User Account Control bypasses to maintain persistence on infected systems.
When active, the cryptominer connected to the asia.ravenminer.com mining pool using the Kawpow algorithm, targeting Ravencoin cryptocurrency whilst hiding its process window to avoid user detection.
Cryptojacking attacks are often dismissed as low-severity issues, but they can be precursors to more serious compromises, potentially leading to further exploitation.